Windows Server - Technology

The Blog for IT solutions from Microsoft. By Richard Wu

July 2010 - Posts

Multiple WDS servers on the same network?

A student asked whether he can have multiple WDS servers on the same network. Actually:

You can have multiple Windows Server 2008 WDS servers on the network.
However, you will not have an option to choose which WDS server you would like to connect to.
When a client PXE boots, the first WDS server that responds will serve this client. If you would like to manually set which WDS server will serve a client, you can prestage the client, update the IP helper, or use DHCP options.

For more information, you can refer to the following articles:

Windows Deployment Services: Frequently Asked Questions
http://technet.microsoft.com/en-us/library/cc732729(WS.10).aspx

Prestaging Client Computers
http://technet.microsoft.com/en-us/library/cc770832(WS.10).aspx

Managing Network Boot Programs
http://technet.microsoft.com/en-us/library/cc732351(WS.10).aspx

Finding WDS deployed client?

A student asked how he can know which machines were deployed with WDS. After some searching, I found this:

If you use WDS to deploy the OS, then after you install a computer via the WDS server (you may need to configure the policy so that computers are automatically joined to your domain), the computer account will contain an attribute indicating that it was installed via a WDS server: netbootGUID. If this attribute is not empty, this usually means that the machine was installed via the network (and in your environment that is the WDS server).

So, you can write a script that searches the whole AD for computer account objects with a non-empty netbootGUID; such a computer was installed from the network.
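
One way to write that search, as an added example that is not part of the original post: a PowerShell function that queries the current domain for computer accounts with netbootGUID set and writes an inventory to CSV. The function name, the optional `-SearchBase` parameter and the output file name are hypothetical.

```powershell
# Added example (not from the original post): list computer accounts whose
# netbootGUID attribute is populated. Run on a domain-joined machine with an
# account that can read computer objects; works with PowerShell 2.0.

function Get-NetbootComputer {
    param(
        # Optional distinguished name of the container to search, for example an OU.
        # Hypothetical parameter; by default the current domain is searched.
        [string]$SearchBase
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchBase) {
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
    }
    # netbootGUID=* matches any account where the attribute is present.
    $searcher.Filter   = '(&(objectCategory=computer)(netbootGUID=*))'
    $searcher.PageSize = 500   # paged search, so large domains are not cut off at the server's result limit
    foreach ($p in 'name', 'distinguishedName', 'netbootGUID', 'whenCreated') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # netbootGUID is stored as raw bytes; show it as hex for the report.
            $raw = [byte[]]$r.Properties['netbootguid'][0]
            New-Object PSObject -Property @{
                Name              = [string]$r.Properties['name'][0]
                NetbootGuidHex    = [BitConverter]::ToString($raw) -replace '-', ''
                WhenCreated       = $r.Properties['whencreated'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged resources
    }
}

Get-NetbootComputer |
    Sort-Object Name |
    Select-Object Name, NetbootGuidHex, WhenCreated, DistinguishedName |
    Export-Csv -Path .\netboot-computers.csv -NoTypeInformation
```

Prestaged accounts carry netbootGUID before any deployment has happened, so a hit indicates a network-boot association rather than proof of a completed install.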

Troubleshooting WDS Multicast performance issue.

If multicasting is very slow, you can check the following two factors to see which one impacts the performance:

1.    Network Profile on the Network Settings tab of the WDS server properties. However, this relates to the physical network adapters and cables.

2.    The slowest client machine.

If more than one client machine has joined the multicast session, and these machines have different hardware configurations, the speed will be limited by the slowest one. You can take a look at the following article for more detailed information on this:

http://technet.microsoft.com/en-us/library/cc754137(WS.10).aspx

If these methods don't change the performance, and if you think the speed is really very slow, you can test several client computers on your network, and compare the performance with the test results outlined in the "Performance and Scalability Expectations" section in the following article:

Optimizing Performance:

http://technet.microsoft.com/en-us/library/cc732088(WS.10).aspx

Please note that the test results may vary on different hardware devices and settings (both on server and client machines).

Besides, here is another article just for your reference:

Analyzing Performance Problems:

http://technet.microsoft.com/en-us/library/cc772277(WS.10).aspx

Controlling WDS to listen on specific NIC

If you want your WDS server to respond on specific network adapters, you can use WDSUTIL commands as follows:

1.    Open an elevated command prompt.
2.    Run WDSUTIL /Set-Server /BindPolicy /Add /Address:<IP or MAC address> /AddressType:{IP|MAC}

This adds the specified network interface to the list in the registry.

3.    Run WDSUTIL /Set-Server /BindPolicy /Policy:Include

This forces the PXE provider to listen on the interfaces in the list.
If you use "/Policy:Exclude" instead of "/Policy:Include", then the interfaces in the list will be excluded.

For more details about this, please refer to:

How to Manage Your Server:
http://technet2.microsoft.com/windowsserver2008/en/library/1415cf2d-99cf-46e5-8626-44141fdb56f91033.mspx?mfr=true

Configure Windows Server 2008 System Policy without the use of GPO

Microsoft has an article about how to automatically import a customized security template into a computer.

Windows XP Security Guide:
http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch05.mspx

Those steps work on Windows Server 2008, so you can just follow them.

Here are the main steps for your reference:

1.    Create a custom template using the MMC Security Templates snap-in, and save it to a folder.
2.    Create a new security database associated with the security template you created in step 1, and save it to the same folder.
3.    Put this folder in $OEM$\$1 on the WDS server, so that it is copied to the target machine during the deployment.
4.    Use the secedit command to import the security configuration. You can add the following entry to the FirstLogonCommands section of an unattended answer file:

Secedit /configure /db <DatabasePath> /cfg <infFilePath>

Please refer to the help document included in the Windows AIK for details on the unattended answer file.

Posted: Wed, Jul 28 2010 1:49 by Richard

Use USB to deploy WIM

A student asked whether we can use a USB stick to deploy a WIM image to a client PC, without the use of WDS.
After some searching, I found the following method:

1) Create a bootable Windows PE on the USB disk
2) Use the sysprep tool to prepare install.wim and copy it to the USB disk
3) Customize a script in the Windows PE image to automate the deployment

I assume you have successfully completed steps 1 and 2. I will mainly focus on step 3.

Windows PE provides three methods for launching custom scripts: Winpeshl.ini, Startnet.cmd, and Unattend.xml. We can create our own version of Winpeshl.ini, Startnet.cmd or Unattend.xml to run a specific set of commands, batch files, or scripts.

1. Winpeshl.ini method

Add a Customized Script with Winpeshl.ini. We can launch a customized shell application by using a file called Winpeshl.ini. Winpeshl.exe will process the settings in Winpeshl.ini during boot.

For how to create the Winpeshl.ini file, please refer to the chapter "Include a Custom Script in a Windows PE Image WAIK" in the WAIK help document.

2. Startnet.cmd method

Add a Customized Script with Startnet.cmd. We can add customized command-line scripts in Windows PE by using Startnet.cmd. By default, Windows PE includes a Startnet.cmd script located at %SYSTEMROOT%\System32 of your customized Windows PE image.

For how to create the Startnet.cmd file, please also refer to the chapter "Include a Custom Script in a Windows PE Image WAIK" in the WAIK help document.

3. Unattend.xml

When Windows PE starts, it implicitly looks for a file called Unattend.xml at the root of any bootable device (for example, a USB flash drive or a floppy disk). You can also specify an Unattend.xml file by using Startnet.cmd and Wpeinit.exe.

To learn more about creating an answer file, please see the Building an Answer File chapter in WAIK help document.

Moreover, no matter which method we choose, this script should at least do the following:

1) Enumerate all the install images stored on the USB disk
2) Format the local disk
3) Apply the install image from the USB disk to the local disk using the ImageX tool

Adding OEM logo to Windows Server 2008

If you want to add an OEM logo to the properties page of "My Computer" in Windows Server 2008, you can:

1.    Open regedit and go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation

You may need to manually create this key if it doesn't exist.

2.    Right-click this key and, in the right-side pane, create the following string values and set them as shown below:

Logo - path_of_OEMlogo.bmp_file
Manufacturer - Any_desired_name
Model - Any_desired_name
SupportHours - Any_desired_time_amount_like_24x7
SupportPhone - Any_desired_phone_number
SupportURL - Any_desired_URL

NOTE: The OEMlogo.bmp file should be 96x96 in size and can be placed at any location.

3.    Open System Properties (a reboot may be needed) by right-clicking the My Computer icon on the desktop and selecting Properties. You will see your entries in the System section, and another section will be created with the name you entered in the Manufacturer string value. The OEMlogo.bmp file will be shown on the right side of the System section.

Adding Language Pack to offline image

Microsoft has an article giving detailed information about how to install a language pack to an offline image.

Install a Language Pack to an Offline Image:
http://technet2.microsoft.com/windowsvista/es/library/2d7ae7cb-2054-452d-a669-e766782701853082.mspx?mfr=true

Here are some major steps:

1.    Install Windows AIK with the default settings. Then you can use command-line tools such as "imagex" by clicking "Start -> All Programs -> Microsoft Windows AIK -> Windows PE Tools Command Prompt", and you can use Windows System Image Manager by clicking "Start -> All Programs -> Microsoft Windows AIK -> Windows System Image Manager".

2.    Create an answer file that contains "<source location="C:\LPs\fr-FR\lp.cab" />" (you may need to adjust it to your situation).

3.    Mount the image to an empty folder.

4.    Use Package Manager to apply the unattended installation answer file to the mounted Windows image.

5.    Use intlcfg to configure the image appropriately.

6.    Unmount the .wim file and commit the changes.

During the process, you need Windows AIK, and you can download it from http://www.microsoft.com/downloads/details.aspx?FamilyID=94bb6e34-d890-4932-81a5-5b50c657de08&DisplayLang=en

Overview on Windows Deployment in Windows 2008

Here is a brief introduction on the deployment service in Windows Server 2008:

Generally speaking, we can divide the deployment process into two parts: generating an image and installing the image.

How to generate an image:
=================
You can manually create an image (either a sysprepped image or an image from the Setup media) that you want to deploy to computers, including drivers, applications, packages and an unattended answer file. You can use tools such as imagex and pkgmgr (included in Windows AIK) to modify the image.

If you think that modifying the image is too complicated, you can try BDD 2007. It helps you generate an image automatically, associating the image with drivers, applications, packages and so on.

How to install the image:
================
Of course, you can install an operating system directly from the Setup media.

Or, after generating the image (including the boot image and the install image), in whatever way, you can burn it onto DVD media and then use this DVD to install the operating system onto computers.

If you want to deploy the operating system through the network, you can use one of three methods:

1.    You can use BDD 2007. However, you may also need to burn the boot image (Windows PE) onto DVD media and use this DVD to install the operating system.

2.    If you use a WDS server, you can install the operating system entirely over the network without any DVD or removable media.

3.    You can also manually deploy the install image by using the command-line tools included in Windows AIK. However, this is not easy to do.

So, Windows AIK provides a lot of tools, such as imagex and pkgmgr, to help you modify the image (boot image and install image) and create unattended answer files. BDD 2007 helps you generate an image automatically, if you think that manually modifying an image is too complicated.

If you want to deploy an image and you are in an Active Directory domain environment, I would suggest that you use WDS, as it has some advantages over BDD: for example, WDS works with Active Directory and you can apply policies to restrict the deployment process.

For more detailed information, you may need to read these articles:
WDS step by step guide - http://technet2.microsoft.com/windowsserver2008/en/library/7d837d88-6d8e-420c-b68f-a5b4baeb52481033.mspx?mfr=true

Moving IIS setting from Windows Server 2003 to Windows Server 2008

The Microsoft Web Deployment Tool (MS Deploy) is a utility that you can use to migrate your Web server or Web site from a computer that is running Internet Information Services (IIS) version 6.0 on Microsoft Windows Server 2003 to a computer that is running IIS 7.0 on Windows Server 2008.

You can find more details about the tool here:
http://www.iis.net/download/webdeploy
http://technet.microsoft.com/en-us/library/dd569059(WS.10).aspx

Posted: Wed, Jul 21 2010 2:16 by Richard

Adding Batch file to WIM Image

You can add a batch file either to the Windows PE image or to the Windows setup image. If the batch file is added to the Windows PE image, it will execute during the boot process of Windows Setup. If it is added to the Windows setup image, it will be processed during Windows Setup.

<1>For adding a Custom Script in Windows PE image:

=======
Step 1: Set up a Windows PE Build Environment

In this step, you will create a required directory structure that supports building a Windows PE image.

1.   On your computer, click Start, point to All Programs, point to Windows OPK or Windows AIK, and then click Windows PE Tools Command Prompt.

The menu shortcut opens a Command Prompt window and automatically sets environment variables to point to all the necessary tools. By default, all tools are installed at C:\Program Files\<version>\Tools, where <version> can be Windows OPK or Windows AIK.

2.   At the command prompt, run the Copype.cmd script. The script requires two arguments: hardware architecture and destination location. For example, copype.cmd <arch> <destination>

3.  Where <arch> can be x86, amd64, or ia64 and <destination> is a path to the local directory. For example, copype.cmd x86 c:\winpe_x86

4.   The script creates the following directory structure and copies all the necessary files for that architecture. For example,

\winpe_x86
\winpe_x86\ISO
\winpe_x86\mount 

Step 2: Mount the Base Windows PE Image

In this step, you will mount the base image to a local directory so that you can add or remove packages.

1.   At the command prompt, mount the base Windows PE image (Winpe.wim) to the \mount directory by using ImageX.

For example,

imagex /mountrw c:\winpe_x86\winpe.wim 1 c:\winpe_x86\mount

Step 3: Add Customized script

1.   Create a text file called Winpeshl.ini by using a text editor (such as Notepad) with the following structure.

For example,

[LaunchApp]

AppPath = %SYSTEMDRIVE%\myshell.exe

[LaunchApps]

%SYSTEMDRIVE%\mydir\application1.exe, -option1 -option2; application2.exe, -option1 -option2

2.   Set the AppPath entry to the path to your shell application. The path can be either fully qualified or can use environment variables, such as %SYSTEMROOT%\System32\Myshell.exe. The AppPath entry does not support command-line options.

3.   Manually save the file to %SYSTEMROOT%\System32 of your custom Windows PE image.

Step 4: Commit Changes to the Image

In this step, you commit the changes to the original image file (Winpe.wim) by using the ImageX /unmount option with the /commit option. For example, imagex /unmount c:\winpe_x86\mount /commit

<2>For adding a Custom Script in Windows setup image:

========
You can make further customizations after Windows Setup completes by adding commands to the %WINDIR%\Setup\Scripts\SetupComplete.cmd file.

This file enables you to install additional applications, run custom Windows scripts (cscript/wscript), or make other modifications to the system before a user logs on.

For more information, please refer to the help document of Windows Automated Installation Kit (Windows AIK).

You can download Windows AIK from:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c7d4bc6d-15f3-4284-9123-679830d629f2&DisplayLang=en

Adding NIC driver to WIM Image

First of all, you need to install the AIK tools, then follow these steps:

STEP 1 :

C:\Program Files\Windows AIK\Tools\x86>imagex /mountrw e:\boot.wim 1 e:\boot

ImageX Tool for Windows
Copyright (C) Microsoft Corp. All rights reserved.


Mounting (RW): [e:\boot.wim, 1] ->
               [e:\boot]

Successfully mounted image (RW).

C:\Program Files\Windows AIK\Tools\x86>

 

STEP 2 :

C:\Program Files\Windows AIK\Tools\PETools>peimg /inf=C:\DriverFolder\driverfile.inf e:\boot
Preinstallation Environment Image Setup Tool for Windows
Copyright (C) Microsoft Corporation. All rights reserved.

Installing INF package: C:\DriverFolder\driverfile.inf

PEIMG completed the operation successfully.


C:\Program Files\Windows AIK\Tools\PETools>

 

STEP 3 :
 

C:\Program Files\Windows AIK\Tools\x86>imagex /unmount /commit e:\boot

ImageX Tool for Windows
Copyright (C) Microsoft Corp. All rights reserved.


Unmounting: [e:\boot]...

Successfully unmounted image.

C:\Program Files\Windows AIK\Tools\x86>

Delegate permission to manage WDS

A student asked what permissions are required to administer WDS.

If the WDS server is installed on a DC, membership in either the Domain Admins group or the Administrators group is required to successfully access the WDS server via the local or remote MMC console.

For the permissions required for WDS operations, please refer to the following link:

Required Permissions:

http://technet.microsoft.com/en-us/library/cc754005(WS.10).aspx

Troubleshooting WDS Performance Problem

If you get slow performance when using WDS to deploy Windows, you may refer to this article:

Analyzing Performance Problems:

http://technet2.microsoft.com/windowsserver2008/en/library/f5460bee-fc3a-4abc-8826-a351f432c7721033.mspx?mfr=true

Besides, using multicast transmission may help a little. For more details about how to use it, please take a look at the "Steps for creating a multicast transmission" part in the following article:

 

Step-by-Step Guide for Windows Deployment Services in Windows Server 2008:

http://technet2.microsoft.com/windowsserver2008/en/library/7d837d88-6d8e-420c-b68f-a5b4baeb52481033.mspx?mfr=true

New Windows Server Foundation

A student asked about the new Windows Server Foundation. After some searching, I found that the new server has quite a lot of limitations, as follows:

Foundation is targeted at small server environments. Foundation is pre-installed on servers with up to 8 GB of RAM and a single processor. Up to 15 user accounts are included with the OS, including use of Active Directory. Windows Server Client Access Licenses (CALs) are not required for use of the Foundation server, but terminal server CALs and Rights Management CALs may be required. Roles include DHCP, DNS, file server, and print server. Foundation is capable of running line of business server applications for small businesses. Foundation is supposed to make initial purchasing simple for small networks to provide a single server solution for all IT needs. Foundation is a lesser-powered server than the popular Windows Small Business Server (SBS), which has additional options including Exchange, SharePoint, and SQL Server.

So, if your company has over 15 users, I would suggest using Windows Server SBS, which can support up to 75 users.

Posted: Wed, Jul 21 2010 1:59 by Richard

Use different unattend files to deploy different computers

If you want to deploy different client computers with different unattended files, you can use the following steps:

Steps:

==========

1.       Create a prestaged account for the server that you want to deploy to.

You can do this either by using the Active Directory Users and Computers MMC snap-in console, or by using the WDSUTIL command-line utility as "WDSUTIL /Add-Device /Device:<name> /ID:<ID>", where the ID is the GUID or MAC address of the computer you want to prestage.

For more details about the WDSUTIL utility, please refer to:

Wdsutil:

http://technet2.microsoft.com/windowsserver2008/en/library/3a1965a0-8677-40cc-9495-30ae806808d11033.mspx?mfr=true

2.       Set this computer to use a customized unattend file.

Open an elevated Command Prompt window. Run "WDSUTIL /Set-Device /Device:<name> /WDSClientUnattend:<path>" (without the quotation marks), where <path> is the path to the unattend file you want, relative to the Remote Install shared folder.

For more details about this, please refer to:

How to Manage Client Computers:

http://technet2.microsoft.com/windowsserver2008/en/library/7d837d88-6d8e-420c-b68f-a5b4baeb52481033.mspx?mfr=true

Useful document reference for WDS Multicast

Chapter 17: Troubleshooting Common Problems:

http://technet2.microsoft.com/windowsserver2008/en/library/7d837d88-6d8e-420c-b68f-a5b4baeb52481033.mspx?mfr=true

There is also a walkthrough on how to use WDS and an article on multicasting with WDS. You can read them at the following links:

Windows Deployment Services:

http://technet2.microsoft.com/windowsserver2008/en/library/7d837d88-6d8e-420c-b68f-a5b4baeb52481033.mspx?mfr=true

Chapter 13: Multicasting with Deployment Server:

http://technet2.microsoft.com/windowsserver2008/en/library/7d837d88-6d8e-420c-b68f-a5b4baeb52481033.mspx?mfr=true

Changing the RAM Disk setting of WinPE

A student asked how to change the RAM disk setting of WinPE. I found that you can use a batch file to do so:

The following batch file sets the ramdrive to 96MB -

CODE:
----------------------------------------------------------------------------
@echo off
setlocal

rem Root of the WinPE build environment
set PATHTOPE=c:\winpe_x86

rem Mount boot.wim read/write so the offline registry can be edited
imagex.exe /mountrw "%PATHTOPE%\ISO\sources\boot.wim" 1 "%PATHTOPE%\mount"

rem Load the image's SYSTEM hive under a temporary key
reg.exe load HKLM\_WinPE_SYSTEM "%PATHTOPE%\mount\windows\system32\config\system"

rem Set the ramdrive size to 96 MB
reg.exe add "HKLM\_WinPE_SYSTEM\ControlSet001\Services\FBWF" /v "WinPECacheThreshold" /t REG_DWORD /d "96" /f

rem Unload the hive, then unmount and commit so the change is saved into boot.wim
reg.exe unload HKLM\_WinPE_SYSTEM
imagex.exe /unmount /commit "%PATHTOPE%\mount"

pause

endlocal

---------------------------------------------------------------------------


Edit the path to reflect the location of your WinPE files. The script mounts the contents of boot.wim via ImageX, loads the SYSTEM registry hive, adds the relevant value, unloads the hive, and then unmounts the image with /commit so that the change is written back to boot.wim.

I've not tested the above script but it has been adapted from the build scripts I've been using for a while. Once the script has been run just build your PE CD (or USB) as normal and boot.

Changing the drive letter of Windows Server

If you use the mirror feature in Windows Server and find that the drive letter was changed after the failure of a mirror member, you can try the following steps to restore the drive letter.

WARNING!!! WARNING!!! WARNING!!!
Backup the whole server before doing the following steps! Use it at your own risk!

System/Boot Drive Letter

How to back up and restore the registry in Windows
  1. Make a full system backup of the computer and system state.
  2. Log on as an Administrator.
  3. Start Regedt32.exe.
  4. Go to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
  5. Click MountedDevices.
  6. On the Security menu, click Permissions.
  7. Verify that Administrators have full control. Change this back when you are finished with these steps.
  8. Quit Regedt32.exe, and then start Regedit.exe.
  9. Locate the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
  10. Find the drive letter you want to change to (new). Look for "\DosDevices\C:".
  11. Right-click \DosDevices\C:, and then click Rename.

    Note You must use Regedit instead of Regedt32 to rename this registry key.
  12. Rename it to an unused drive letter "\DosDevices\Z:".

    This frees up drive letter C.
  13. Find the drive letter you want changed. Look for "\DosDevices\D:".
  14. Right-click \DosDevices\D:, and then click Rename.
  15. Rename it to the appropriate (new) drive letter "\DosDevices\C:".
  16. Click the value for \DosDevices\Z:, click Rename, and then name it back to "\DosDevices\D:".
  17. Quit Regedit, and then start Regedt32.
  18. Change the permissions back to the previous setting for Administrators (this should probably be Read Only).
  19. Restart the computer.
Posted: Tue, Jul 20 2010 21:52 by Richard

Windows Server 2008 "Password must meet complexity requirements"

Many of my students ask why they can't use a "simple" password in 2008 server. The reason is the default "Password" setting in 2008:

A default Windows Server 2008 installation has the "Password must meet complexity requirements" option enabled in the local policy. This will force the user to come up with a complex password. The new password must meet the following minimum requirements:

  • The password is at least six characters long.
     
  • The password contains characters from three of the following four categories:
    • English uppercase characters (from A through Z)
    • English lowercase characters (from a through z)
    • Base 10 digits (from 0 through 9)
    • Non-alphanumeric characters (for example: !, $, #, or %)
       
  • The password does not contain three or more characters from the user’s account name. If the account name is less than three characters long, this check is not performed because the rate at which passwords would be rejected would be too high. When checking against the user’s full name, several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes, hyphens, underscores, spaces, number signs (#), and tab characters. Each token that is three or more characters long is searched for in the password, and if it is present, the password change is rejected. For example, the name “Erin M. Hagens” would be split into three tokens: “Erin,” “M,” and “Hagens.” Because the second token is only one character long, it would be ignored. Therefore this user could not have a password that included either “erin” or “hagens” as a substring anywhere in the password. None of these checks are case-sensitive.
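
The three rules above, written out as a check you can run before putting a password into an answer file or a provisioning script. This is an added example, not code from the original post or from Windows itself; the function name, the account name `ehagens` and the test passwords are constructed, and it assumes the account name is searched as one whole string while the full name is split into tokens.

```powershell
# Added example (not from the original post): check a candidate password
# against the three rules listed above. Works offline; PowerShell 2.0 or later.

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [string]$AccountName = '',
        [string]$FullName = ''
    )

    $reasons = @()

    # Rule 1: at least six characters.
    if ($Password.Length -lt 6) {
        $reasons += 'shorter than six characters'
    }

    # Rule 2: characters from at least three of the four categories.
    # -cmatch is case-sensitive, so upper and lower case count separately.
    $categories = 0
    foreach ($pattern in '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($Password -cmatch $pattern) { $categories++ }
    }
    if ($categories -lt 3) {
        $reasons += "uses only $categories of the 4 character categories"
    }

    # Rule 3: name checks. Assumption: the account name is searched as one
    # string; the full name is split on the delimiters the rule lists.
    $needles = @()
    if ($AccountName.Length -ge 3) { $needles += $AccountName }
    $needles += @($FullName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -ge 3 })

    foreach ($needle in $needles) {
        # Case-insensitive substring search anywhere in the password.
        if ($Password.IndexOf($needle, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons += "contains the name token '$needle'"
        }
    }

    New-Object PSObject -Property @{
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed test passwords; the account name 'ehagens' is hypothetical.
foreach ($candidate in 'Summer-2010', 'xErin#42', 'password', 'Ab1!') {
    $result = Test-PasswordComplexity -Password $candidate -AccountName 'ehagens' -FullName 'Erin M. Hagens'
    '{0,-12} compliant={1} {2}' -f $candidate, $result.Compliant, $result.Reasons
}
```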